Many central online services at This article describes what Two-factor Authentication (2FA) is, why the University of Waterloo require uses it and how to get started to enrol in 2FA. For complete information about 2FA at UWaterloo, please review IST’s two-factor webpage: https://uwaterloo.ca/two-factor-authentication for access. /.
Included in this article:
| Table of Contents | ||||
|---|---|---|---|---|
|
What is two-factor authentication?
Two-factor authentication (2FA), also known as multi-factor authentication, is the process of authenticating to an online service using something you know as the first factor (i.e. a password) and something you physically have as the second factor. Traditionally, the second authentication factor would be a physical fob or token, with the most popular form having a six-digit display.
| Note |
|---|
Many central online services at the University of Waterloo require two-factor authentication for access. You will need to enrol in 2FA before being able to access these services. |
Why is Waterloo doing this?
Password-based attacks account for most of the cyber-attacks against the University. The COVID-19 pandemic has resulted in a dramatic increase in phishing attacks against UW, and because people frequently re-use passwords, breaches at other sites can still impact the University because of a related attack called “credential stuffing”. In short, the password alone is obsolete. Stronger authentication is required for services on the public Internet. See:
How to Enrol in 2FA
...
The use of 2FA at Waterloo actually dates back to 1996, when Data Processing (DP) implemented the SecurID system to protect the finance system. The Department of Computing Services (DCS) and the Math Faculty Computing Facility (MFCF) also made use of the SecurID system to secure privileged access to the UNIX systems they managed. IST continued using 2FA until 2004 when the main finance system was upgraded; the Faculty of Mathematics has continued using various forms of 2FA since then.
In 2016, IST began piloting Duo Security’s 2FA solution and several years later, after an RFP, Duo Security was chosen as the University’s 2FA provider. Duo is a cloud service and enjoys wide adoption by colleges and universities in the United States. Duo 2FA was made available on many UW systems, on a voluntary basis, in 2019. The Duo 2FA service supports a variety of options as the second-factor authenticator including smartphones, SMS, voice callback, tokens/fobs, and YubiKeys. Some of the authenticators are limited in what services they support, and the management overhead also varies.
What’s the impact? What do I need to do?
Effective November 2020, access to Workday, myPensionInfo, and other UW services that retirees and alumni may use, will require two-factor authentication for access. You will need to enrol in 2FA before being able to access these services.
IST strongly recommends that retirees and alumni consider one of two authenticator options for 2FA:
Duo Push – This requires you to download a small app called ‘Duo Mobile’ to your Android/iPhone smartphone, or tablet, with an Internet connection.
Call Me – This requires a telephone, landline or cell.
In both cases, when accessing UW services after November 2020, you need to have your device or phone nearby.
Using the Duo Push option
Download the Duo Mobile App
From the iPhone App store or Play Store, install the ‘Duo Mobile’ app by Duo Security.
Enroll the device
Authenticate with your 8-character username @uwaterloo.ca (e.g. j25rober@uwaterloo.ca) and password
Select Mobile phone (recommended option) or Tablet
To complete the enrolling process, follow the instructions listed on this page: DUO Device Management instructions
Authenticating
The guide below shows how to sign into a 2FA protected service such as Workday using DUO.
Sign into the service (e.g. Workday) with 8-character username @uwaterloo.ca (e.g. j25rober@uwaterloo.ca) and password
When presented with the DUO prompt, click Send Me a Push.
On your smartphone, you will be prompted to Accept or Deny the authentication request.
Using the Call Me option
Enroll using your telephone number
To setup 2FA on your account, do the following:
Authenticate with your 8-character username @uwaterloo.ca (e.g. j25rober@uwaterloo.ca) and password
Select the Landline option
To complete the enrolling process, follow the instructions listed on this page: DUO Device Management instructions
Authenticating
The guide below shows how to sign into a 2FA protected service such as Workday using DUO.
Sign into the service (e.g. Workday) with 8-character username @uwaterloo.ca (e.g. j25rober@uwaterloo.ca) and password
When presented with the DUO prompt, click Call Me.
Answer the ringing telephone and listen to the voice prompt.
The preferred second-factor option is the Duo Mobile app
The app is available for iOS and Android devices, with or without cellular access
While an Internet connection is required for adding the device to a user’s Duo account, the app can be used to generate OTP codes even when cellular data or Wi-Fi networks are not available
The app is simple to register and use. It functions in various modes, with or without cellular data or Wi-Fi connection
Any Duo-protected application can be authenticated with the app. It is not necessary to disclose the phone number for a smartphone to use the app
Download the Duo Mobile app
Additional Resources for enrolling in 2FA
Second-factor Options
For alternative second-factor options please see Second factor selection criteria
Device Management
For information on device management, please see Duo device management instructions
Related articles
| Filter by label (Content by label) | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
| Info |
|---|
Need help?Contact the IST Service Deskonline or 519-888-4567 ext. 44357. |
| Tip |
|---|
Article feedbackIf you’d like to share any feedback about this article, please let us know. |